Panera’s attempt to downplay data breach backfires

When the bakery and restaurant chain tried to say only 10,000 accounts were leaked online, security reporters were ready to prove them wrong. Here are some lessons from this PR misstep.

When responding to a crisis, it’s important to be fast—and accurate.

When Panera Bread executives learned that reporters had discovered a security flaw in its website that had potentially leaked millions of customer accounts—including names, home addresses and the last four digits of credit cards—the company immediately patched the site and reached out to news outlets.

Even when security analysts first notified Panera of the problem, its response was tepid. Security reporter Brian Krebs detailed how the company had responded to reports that its site was vulnerable.

He wrote:

KrebsOnSecurity learned about the breach earlier today after being contacted by security researcher Dylan Houlihan, who said he initially notified Panera about customer data leaking from its Web site back on August 2, 2017.

A long message thread that Houlihan shared between himself and Panera indicates that Mike Gustavison, Panera’s director of information security, initially dismissed Houlihan’s report as a likely scam. A week later, however, those messages suggest that the company had validated Houlihan’s findings and was working on a fix.

Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort.

After the story was published by Krebs, Panera went on the record with Fox Business stating that the breach was minimal, estimating that fewer than 10,000 customers were affected.

It reported:

“Panera takes data security very seriously, and this issue is resolved,” Panera Bread Chief Information Officer John Meister said in a statement to FOX Business. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Meister added: “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”

That’s when Krebs, and other security insiders, got angry.

After questioning Panera’s numbers, Krebs did a little more digging and discovered the website was far more compromised than had been understood—and that the original problem hadn’t been fixed after all.

Krebs clearly was furious over how Panera had responded to his reporting.

His final recommendation? Rebuild the website from scratch.

In a strange twist, Krebs discovered via LinkedIn that the head of digital security for Panera was a former employee of Equifax, the credit data firm that lost over 100 million customer records to hackers last year.

The breach highlights the problem of customer loyalty reward programs that offer limited benefits in exchange for data.

The Washington Post wrote:

As with so many other data breaches, this one raises questions for consumers. In some respects, it’s grown ever more difficult to avoid e-commerce transactions. Many people now manage their personal banking on mobile apps. And consumers appreciate the convenience of ordering goods online. Every relationship and transaction raises the possibility of a data breach.

But loyalty programs, which promise perks and convenience in exchange for personal data, are another realm. And Panera’s breach makes one wonder: Is a free sandwich worth the hassle of having personal identifying information floating into the wrong hands?

This data breach is just the latest in a series of data-themed crises for companies from tech giants such as Facebook to major retailers including Saks Fifth Avenue. As communicators learn more and more about what the public wants in response to these data losses, some rules have emerged:

1. Be quick to respond—but don’t fudge the details.

Although staying silent, as Facebook did, elicited criticism and ensured the company would lose control of the story, Panera’s inaccurate response sparked the ire of reporters and security experts. Companies shouldn’t expect journalists to give them a pass as security experts push for tougher reporting and accountability on these stories.

In his blog, the researcher who first discovered the Panera vulnerability called for more accountability.

He wrote:

We could collectively afford to be more critical of companies when they issue reactionary statements to do damage control. We need to hold them to a higher standard of accountability. I honestly don’t know what that looks like for the media, but there has to be a better way to do thorough, comprehensive reporting on this.

Companies should be ready to provide it.

2. Treat reporters with courtesy.

If you do an end run around one reporter and go to another outlet to spin your story, you are being rude to the reporter who first reached out to you. Journalists won’t take that lying down.

3. Be humble.

As tech security evolves, the chances that your system will be compromised seem to grow. As difficult as it may be, when your data is breached, it is essential to show a little humility. Don’t assume you know the full extent of the damage; offer an apology.

4. Start an investigation, and follow up.

When Saks Fifth Avenue learned it had leaked credit card details for millions of customers, it stated it would investigate the full reach of the crisis and provide more data at a later time. Investigations can protect the party being investigated from scrutiny and negative media coverage by acknowledging the problem and delivering on promises for more information.

How would you advise Panera to repair its media relationships?
